Spoofing Vulnerability in .NET and Visual Studio by Microsoft
CVE-2025-26646

8HIGH

Key Information:

Vendor: Microsoft
Status: .net 8.0; .net 9.0; Microsoft Visual Studio 2022 Version 17.12; Microsoft Visual Studio 2022 Version 17.13
Vendor: CVE Published:; 13 May 2025

What is CVE-2025-26646?

An external control of file name or path in the .NET Framework, Visual Studio, and Build Tools for Visual Studio enables an authorized attacker to manipulate file paths, leading to potential spoofing attacks over a network. This vulnerability can allow an attacker to execute unauthorized commands or access sensitive information, jeopardizing the integrity and security of applications developed using these platforms.

Affected Version(s)

.NET 8.0 Unknown 8.0.0 < 8.0.16

.NET 9.0 Unknown 9.0.0 < 9.0.5

Build Tools for Visual Studio 2022 Unknown 17.0

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2025
Vulnerability Reserved
Feb 12, 2025